Indico missing access check in event series management API
Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict access to the series management API endpoint.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
indicoPyPI | < 3.3.11 | 3.3.11 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-rfpp-2hgm-gp5vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28352ghsaADVISORY
- github.com/indico/indico/releases/tag/v3.3.11ghsax_refsource_MISCWEB
- github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5vghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.